I finally decided to replace my firewall, an UltraSparc 5 running Linux, with something smaller that consumes less energy and produces less noise. I came upon the PC Engines WRAP, which at 15x15x2cm is considerably smaller than the Sparc. It has a serial port, three Ethernet ports and runs its OS from a Compact Flash II card.

There’s a tutorial on Installing Debian on a USB flash with everything encrypted. After a first try, I decided to leave out the “encrypted” part: it’s complicated, and I have no decent way of entering any passwords at boot.

For the WRAP, there are some things that differ from USB media and which you have to take care of:

There is no real-time clock. Therefore you need to turn off the time-based filesystem check:
tune2fs -i 0 /dev/whatever

The clock source should be pit or jiffies (the sysfs file takes a single name); with scx200_hrt I got a clock running with a deviation of one minute per second.
echo pit > /sys/devices/system/clocksource/clocksource0/current_clocksource

You want to minimize writes to the flash card, so it is best to put /var/lock, /var/tmp, /var/run and /tmp onto a tmpfs, as described in the above tutorial.

The kernel is sometimes a bit too verbose on the console. This will fix that:
echo 5 > /proc/sys/kernel/printk

The WRAP is also slow, and the new apt feature that downloads diffs of the package indices makes heavy use of disk and CPU to save bandwidth. Not a good idea in this case. Turn it off in /etc/apt/apt.conf:
Acquire
{
Pdiffs "false";
};

Finally, you might want a kernel which does only what is needed and loads no modules (which puts the brake on some rootkits that want to install themselves as kernel modules). You can proceed by trial and error, but as it happens, somebody else (me) already did, so here’s the .config for a PC Engines WRAP, kernel 2.6.18 with the grsecurity kernel patch.
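
To verify after a reboot that the settings above actually took effect, here is a small audit function. It is an added example, not part of the original post; the name `check_wrap` and its optional root-directory argument are hypothetical, and it assumes /proc and /sys are mounted in the usual places.

```shell
#!/bin/sh
# Added example: audit the WRAP settings described in this post.
# check_wrap [ROOT] prints one line per check and returns the number of
# failed checks. ROOT (hypothetical parameter, default "") lets the
# function run against a constructed directory tree instead of the live system.
check_wrap() {
    root="${1:-}"
    fails=0

    # Clock source: pit or jiffies, since scx200_hrt drifted badly.
    cs=$(cat "$root/sys/devices/system/clocksource/clocksource0/current_clocksource" 2>/dev/null || true)
    case "$cs" in
        pit|jiffies) echo "ok   clocksource=$cs" ;;
        *) echo "FAIL clocksource=${cs:-unreadable}"; fails=$((fails + 1)) ;;
    esac

    # The console log level is the first field of /proc/sys/kernel/printk.
    lvl=$(awk '{print $1; exit}' "$root/proc/sys/kernel/printk" 2>/dev/null || true)
    if [ -n "$lvl" ] && [ "$lvl" -le 5 ]; then
        echo "ok   printk console level=$lvl"
    else
        echo "FAIL printk console level=${lvl:-unreadable}"; fails=$((fails + 1))
    fi

    # /proc/modules only exists when the kernel was built with module support.
    if [ -e "$root/proc/modules" ]; then
        echo "FAIL kernel supports loadable modules"; fails=$((fails + 1))
    else
        echo "ok   no loadable module support"
    fi

    # Write-heavy directories should live on tmpfs to spare the flash card.
    for dir in /var/lock /var/tmp /var/run /tmp; do
        if awk -v d="$dir" '$2 == d && $3 == "tmpfs" {f=1} END {exit !f}' \
            "$root/proc/mounts" 2>/dev/null; then
            echo "ok   $dir on tmpfs"
        else
            echo "FAIL $dir not on tmpfs"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Source the file and call `check_wrap` with no argument to audit the running system; a non-zero return value is the number of settings that still need fixing.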